Alexander Gall (gall) writes:
> > But why would a hardware implementation be better than, for instance, 
> > SoftHSM?
> 
> A hardware HSM allows you to detect when your keys get stolen
> (provided the hardware does not implement extraction of the keys, of
> course).  In our case, this is the *only* reason we use a HSM at all.

        Does HSM imply tamper-proof? If so, then yes, otherwise, you could very
        well embed a small Atom device running SoftHSM with a smart card reader
        for key import/export, drown the entire thing in epoxy, package the
        thing in a tamper proof cabinet, and you've got an HSM.

        I think the main idea with doing it with an FPGA is: speed, power
        consumption, reduced size. That makes it easier to audit, easier to
        protect. But arguably this could all be done with a Raspberry Pi as
        well, if you're not in a hurry.

        Phil
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs